This candidate revision is also a feature freeze exception because of the lateness in submitting these changes. The changes are essentially an implentation of the features detailed in the Checkbox Enhancements blueprint:
The first reason for the lateness is that the above blueprint was originally scheduled for beta-1, which happens to be way after the feature freeze limit.
This revision also includes fixes to important security vulnerabilities which were uncovered during the Ubuntu sprint. The proposed changes were initially proposed as:
- Remove /usr/share/dbus-1/system-services/com.ubuntu.checkbox.service
so that dbus no longer spawns the backend on demand.
- Daemonize the backend directly from the frontend by calling sudo in
order to run commands as root, instead of calling upon dbus to spawn
the process.
- Use the session bus instead of the system bus, passing the token from
the environment.
- Remove the NOPASSWD hack from the qa_regression_suite script and then
remove the tests requiring the sudo command from the whitelist of
tests until they are modified to run directly as root.
- In all scripts running as root, make sure to replace using /tmp by
/var/cache and also make sure that the target files are only writable
by root.
The second reason for the lateness is that it took a while to implement each of these changes since they were uncovered in early February. However, these security vulnerabilities were sufficiently significant that a new revision of Checkbox could not make it into the release unless these changes were implemented.
This candidate revision is also a feature freeze exception because of the lateness in submitting these changes. The changes are essentially an implentation of the features detailed in the Checkbox Enhancements blueprint:
https:/ /blueprints. launchpad. net/ubuntu/ +spec/lucid- qa-checkbox- enhancements
The first reason for the lateness is that the above blueprint was originally scheduled for beta-1, which happens to be way after the feature freeze limit.
This revision also includes fixes to important security vulnerabilities which were uncovered during the Ubuntu sprint. The proposed changes were initially proposed as:
- Remove /usr/share/ dbus-1/ system- services/ com.ubuntu. checkbox. service
so that dbus no longer spawns the backend on demand.
- Daemonize the backend directly from the frontend by calling sudo in
order to run commands as root, instead of calling upon dbus to spawn
the process.
- Use the session bus instead of the system bus, passing the token from
the environment.
- Remove the NOPASSWD hack from the qa_regression_suite script and then
remove the tests requiring the sudo command from the whitelist of
tests until they are modified to run directly as root.
- In all scripts running as root, make sure to replace using /tmp by
/var/cache and also make sure that the target files are only writable
by root.
The second reason for the lateness is that it took a while to implement each of these changes since they were uncovered in early February. However, these security vulnerabilities were sufficiently significant that a new revision of Checkbox could not make it into the release unless these changes were implemented.